Coq's sumor Type

After the post on subsets (the sig type) and the one on decision procedures (the sumbool type) (and also after a few months moving to a new continent/country/city for a new job ;)), we now try to have a look at the sumor type. Again, this is a beginner's Coq development … feel free to criticise/correct/comment it.

The type of pred_sumor_sig cannot be more expressive from an input/output point of view: it takes any natural and returns either a natural together with a proof that it is the predecessor of the input, or a proof that the input is zero.

We just give a name to the type of functions which decide equality on a given type:

Definition Eq_decision A := forall a b : A, { a = b } + { a <> b }.

And here is the first List.find. Given a list over a type A, an element of A and an equality decision function for A, it returns either a natural which is the index at which the element was found, or a proof that the element is absent from the list:

That was astonishingly easy: the tactic intuition gets rid of all the true subgoals, and the last False one just requires one inversion.

I tried to add mistakes to persuade myself … for instance, I replaced Sumor left (Sig yes 0) by Sumor right or by Sumor left (Sig yes 1), and, indeed, the proof was impossible in these cases (for instance, you may end up having to prove False without any contradiction in the hypotheses, etc.).

That was nice, but this implementation can be given an even more precise type: we can say that the index found is the one of the first element matching.

My first attempt at a specification got stuck in the mud because of an operator precedence problem:

The implementation of find_one_index has the same function body, but a more tedious proof.
First, one thing to remember: when using destruct or induction after the definition of a fixpoint, it is useful to remove the recursive call with a clear frec (the problem is that the thing being deconstructed is also deconstructed inside the fixpoint, which is then no longer equal to itself … you get a “Proof Completed” and then it breaks while type checking; see also the comments of bug 2558).
Second, there is a tricky subgoal which is not discharged by intuition or inversion; I did not manage to clean that up yet: it is a bad proof which depends on the order of subgoals and references Coq-generated variable names (like H2, H3, x0, etc.).
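
As an added example, not the post's own code, here is a self-contained version of the sumor-typed find described above (the names find_index and index_of are mine): it returns either an index with a proof that the element sits there, or a proof of absence. The first-match property is only exhibited on a sample list here, not stated in the type as the post goes on to do.

```coq
(* Added example, not the post's own code: the sumor-typed find described above. *)
Require Import List Arith.
Import ListNotations.

(* The type of equality decision functions on A, as in the post. *)
Definition Eq_decision (A : Type) := forall a b : A, { a = b } + { a <> b }.

(* find_index (hypothetical name): either an index i such that the i-th element
   of l is x, or a proof that x does not occur in l at all. *)
Fixpoint find_index (A : Type) (eq_dec : Eq_decision A) (x : A) (l : list A)
  : { i : nat | nth_error l i = Some x } + { ~ In x l } :=
  match l as l0 return { i : nat | nth_error l0 i = Some x } + { ~ In x l0 } with
  | [] => inright (fun H => H)                 (* In x [] reduces to False *)
  | y :: l' =>
      match eq_dec y x with
      | left e => inleft (exist _ 0 (f_equal Some e))     (* head matches: index 0 *)
      | right n =>
          match find_index A eq_dec x l' with
          | inleft (exist _ i p) => inleft (exist _ (S i) p)   (* found in the tail *)
          | inright absent =>
              (* x is neither the head (n) nor in the tail (absent) *)
              inright (fun H => match H with
                                | or_introl Hyx => n Hyx
                                | or_intror Hin => absent Hin
                                end)
          end
      end
  end.

(* Forget the proofs to get a plain option nat, convenient for Compute/Example. *)
Definition index_of (A : Type) (eq_dec : Eq_decision A) (x : A) (l : list A) : option nat :=
  match find_index A eq_dec x l with
  | inleft (exist _ i _) => Some i
  | inright _ => None
  end.

(* The head is tested first, so the index returned is that of the first match. *)
Example first_match : index_of nat Nat.eq_dec 3 [1; 3; 3] = Some 1.
Proof. reflexivity. Qed.

Example not_found : index_of nat Nat.eq_dec 7 [1; 3; 3] = None.
Proof. reflexivity. Qed.
```

Both Example proofs go through by computation alone, because Nat.eq_dec is transparent and the function is written with explicit proof terms rather than opaque lemmas.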

Conclusion

That's all for now with the sumors … With sig, sumbool, and sumor, I guess we can express almost anything useful, but as Adam Chlipala says we have only ‘scratched the tip of the iceberg’ … so, we'll continue digging in the following episodes.